System for securely transporting objects in a tamper-proof container, wherein at least one recipient station is mobile and portable

ABSTRACT

A system for securely transporting valuables enclosed in a container which responds to attempted tampering by damaging said valuables and is provided with internal control means operating as a limited-mode machine that may include at least some of the elements of a series consisting of a user such as a dispatcher, a recipient or an escort, a container, and a single remote host capable of communicating with the internal control means of said container, at least at the time of departure. The elements are interconnected via a single terminal to form a star network of stations with said station at the center. The system is characterized in that the station of at least one recipient is not a resident station but a mobile and portable station.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to a system for the protection of valuable documents or objects such as means of payment, bank notes, cheques or bank cards, enclosed in a physically burglar-proof container, called a container throughout the rest of this description, passing through a sequence of a restricted number of identified logical states, and which will destroy the contents by appropriate means in the case of an aggression.

2. Description of the Related Art

A protection system of this type is described in detail in European patent EP-0.409.725, and it is characterized in that the container is provided with internal management means operating like a machine with “limited modes” in which the operating cycle comprises a restricted number of logical states called “modes”, the transition from a first mode to a second mode being the consequence of an isolated event, and the acceptability of this event being, or having previously been, checked by independent means that can be put into contact with the said internal management means of the container, the said transition then being accompanied by loss of memory of the previous mode.

According to the previous patent, the system can be used for protection of cash placed in a container, for example by the manager of a bank agency called the sender, to be transported by a transporter, for example to a branch of this bank agency; the sequence of logical states, and consequently the transfer of responsibility, is controlled by a single computer that consequently acts as supervisor to manage the logical security of the containers, in other words to verify the acceptability of transitions from some operating modes of their internal management means to other modes; in this respect, it is worth mentioning three particularly significant examples of transitions:

a) the only way to protect the cash during transport is by the container: in this case the system then consists of the container alone,

b) at the time of delivery after transport, the only way of interrupting the mode in which the container was placed at the beginning of the transport operation, and which is all that it remembers, is a source of information external to the container; the system must then be extended to include the external source of information, in other words the computer, which the container must first recognize as a reliable and safe partner,

c) after delivery, protection of the cash contained in the container is still complete, since it cannot be opened until the system is extended to include a second external information source, namely the user of this cash (in other words the addressee, the sender or the transporter) who must in turn be recognized as a reliable and safe partner by the container and the supervising computer.

Transitions between these three types of mode control the transfer of responsibility attached to the protection of the cash, regardless of whether or not the cash is enclosed in the container.

According to one fundamental characteristic of the previous document, the container, the computer, the sender or the addressee and the transporter are linked at the departure and arrival to a single terminal called a “station” which forms the departure point and arrival point of a star network, in which the said station is the center. Therefore, there is a first station at the departure location of the container, and at least one other station at its arrival location. The use of this type of station connecting all parties concerned in a star configuration helps to significantly simplify the interfaces necessary for the said parties to dialog with each other. Consequently, the stations comprise the sophisticated electronic interfaces, and containers and users simply manage an elementary connection dialog with these stations; obviously, the supervising computer itself manages more complex exchanges and actually forms a server center remote from all stations, all users and all containers, which provides it with efficient protection against logical and physical aggression.

Finally, in addition to the structural confidentiality of stations, all communications between two parties and the system make use of a protocol in which the party who receives a message can authenticate the party who is supposed to have sent the message, and an acknowledgement of reception can also be made for this authentication.

This type of protection system is particularly useful for all cash transfers made as part of a routine and especially with a repetitive nature, for example such as transfers between a bank and its various agencies; it is then quite appropriate to install permanent terminals at the arrival and at the departure points, these permanent terminals being called “resident stations” in the prior document mentioned above, which act as interfaces between the container(s) physically used for the transfer of cash, the person (in other words the sender, transporter and later the addressee) and the server center, also called the supervising computer.

However, many circumstances arise in which it is necessary to occasionally or temporarily transfer or collect cash from or to locations that may vary considerably in different periods; particularly to provide a service for the safe transfer of cash, or for any category of small business for which the service frequency is inherently very variable.

SUMMARY OF THE INVENTION

It is easily understandable that in all these cases, it is not economically viable to install sophisticated resident equipment, and this is why this invention proposes that resident stations would be replaced by portable or mobile stations at the destination point; it is then quite conceivable that this type of solution could be very flexible in use for the transporter, to the extent that it does not require any prior installation of equipment and the customer can enjoy very short service start-up times, which gives the transporter a decisive commercial advantage; this is the case particularly for events such as trade fairs, markets, exhibitions, or to be able to pick up or deliver cash from or to shops. Note also that even when transporting cash between banks, many cases are only single deliveries in which cash is transferred immediately and for which no secure storage is required; a mobile station is also quite suitable for this type of service, and conversely installation of a resident station would be inconceivable, making the protection system as described in the previous patent mentioned above unusable.

Consequently, this invention proposes a system for secure transport of securities and particularly means of payment, bank notes, checks or bank cards from a central departure site to a destination site, enclosed in a container which in case of aggression will cause their destruction by appropriate means, and which is provided with internal management means operating like a “machine with limited modes”, in which the operating cycle comprises a restricted number of logical states called modes, the transition from a first mode to a second mode being the result of an isolated event, the acceptability of which being or having previously been checked by independent means capable of making contact with the said internal management means, the said transition then being accompanied by erasure of memory of the previous mode, the said system being constructed so that a user of the securities, who may be a sender, an addressee or a transporter, may utilize a container in connection with a single server center in a remote location capable of getting into contact with internal management means of the said container, at least when it is at the departure point, to check the acceptability of an event that causes a transition from one mode to another mode, the said elements being connected to each other through a single terminal called a station, in order to form a star network in which the said station is the center, characterized in that the station used by at least one addressee is a mobile and transportable station, and is not a resident station.

BRIEF DESCRIPTION OF THE DRAWINGS

Other characteristics and advantages of the system according to the invention will be more obvious from the following description of a particular embodiment involving a simple case of transporting cash between a central site and an addressee site, for example a small shop, this case being given as a non-restrictive illustration of the system according to the invention, with reference to the attached drawing in which:

FIG. 1 is a block diagram of the network organization of the system according to prior art described in European patent EP-0.409.725,

FIG. 2 is a block diagram of the organization of a mobile station according to this invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

With reference to FIG. 1, the system according to prior art is used particularly for the protection of cash which has been placed in a container 1, for example by the manager of a bank head office, called the sender 2 in the remainder of this document. In the example, the container 1 must be transported by a transporter 3 to an occasional addressee, for example a small shopkeeper.

All events preceding the transfer of cash and leading to a number of transitions from one mode to another in accordance with the information in prior art are described in detail in patent EP-0.409.725, and we will simply add here that transfers of responsibility related to the various logical states possible for container 1 are controlled by a single supervising computer 4 managing the logical security of container 1, in other words checking the acceptability of transitions from some operating modes of the management means internal to the said container to other operating modes. We will refer to the description given in prior art for details of possible transitions between various operating modes starting from the moment at which the cash is placed inside the container 1 until its arrival at the destination site, where the addressee must take responsibility for the cash that he is expecting.

As in prior art, the general system according to the invention as shown in FIG. 1 is composed of a star network connecting the container 1, the supervising computer 4, the sender 2 and the transporter 3 to a single terminal; this single terminal is called a station throughout the rest of this description, and forms the hub of the star network.

A first station 5 is naturally located at the departure location of the container 1 and, in accordance with the invention and with reference to FIG. 2, the arrival station is no longer resident, but on the contrary is mobile and transportable for all the reasons described at length in the preamble to this description, namely that the transporter can deliver cash very occasionally to an addressee who may be located at any location without the need for the same transporter to have come earlier to install an arrival station containing sophisticated and consequently expensive equipment.

With reference to FIG. 2, the mobile station 6 comprises a terminal 7 with a keyboard and a screen 8, equipped with a microprocessor and a smart card reader 9 capable of receiving a personalized smart card 11 in the possession of the correct addressee 10, in particular the smart card being authenticated by a confidential code 12 given separately and earlier by the transporter to the addressee 10, under security conditions that will be described later.

The mobile station 6, according to an essential characteristic of the invention, is completely disconnected from the supervising computer 4 during the transfer, in other words there is no means of communication between the supervising computer and the terminal at the time that the cash is handed over.

On the other hand, the mobile station 6 is made to communicate with the container 1 through a communication interface 13 which, according to a secondary and advantageous characteristic of the invention, comprises a power supply source 14 independent of the container 1 and its electromagnetic locking devices.

Before the envisaged cash transport, the final user 10 is issued with a smart card 11, which is very similar in its form and operation to a conventional bank card; this card 11 is first loaded with cryptographic data which will subsequently be necessary firstly for message exchanges between the parties concerned on the arrival site, but also for initialization and the smooth operation of all steps necessary to authorize opening of the container and consequently recovery of the cash contained in it by the legitimate addressee 10, while correctly programming the return of the said container to the central departure site. Obviously, all encryption data are generated by the computer 4 before departure, in this case operating as a server center. In this way, computer 4 no longer has a direct role in the delivery steps; this is why exchanges between the computer, the station 6 through card 11 and container 1 at the destination have been shown in FIG. 2 as thin chain-dotted lines.

Note here that, as in the prior patent, authentication of the part of the system that sends a message consequently consists of authenticating the said message itself by verification of a computer signature calculated on the contents of the said message by means of a key-controlled algorithm, in which the keys are naturally only known to the parties exchanging the said message.

Consequently, the encryption algorithm used will advantageously be a symmetric type of algorithm, for example the DES (Data Encryption Standard) algorithm for which the characteristics are standardized; note that in this algorithm, the container 1/memory card 11 pair has a key K, this key K being stored in a memory of container 1 whereas the card 11, which has the same key K, obviously remains protected solely by the final user 10. Note that advantageously, the electronic signature designed to authenticate the message and its author will itself be calculated on the contents of messages making use of an algorithm that is beneficially similar to the DES encryption algorithm that has just been mentioned.

Encryption and authentication keys can also be differentiated to provide even better cryptographic security.

Finally, note that operation of container 1 is completely identical to operation of the containers fully described in European patent EP-0.409.725 mentioned above, in other words container 1 in this case also operates like a “machine with limited modes”.

In accordance with the simplified example given to illustrate the invention, it is therefore agreed to deliver cash from a central agency to an occasional user 10 not equipped with a resident station 5. Prior to the envisaged operation, the user 10 will have received firstly his duly encrypted smart card 11, and secondly, and separately, a secret code 12 corresponding to the card 11 in the same way as for bank cards.

At the same time, the supervising computer 4 generates one or several DES-type encryption keys that it will input into container 1 at the time of departure of the cash transfer, after first inputting them into the card microprocessor to enable authentication of the addressee when the cash in container 1 is delivered.

Similarly, before departure from the central agency, the container or containers 1 for which the mobile station 6 is to be used will be informed of this situation by an additional operation performed by the manager of the central agency; in the example, the container 1 will be programmed with its destination being a mobile station 6, and not a resident station 5.

When the container or containers 1 is (are) delivered, the transporter 3 presents the terminal 7 to the presumed user 10, who must then insert the encrypted smart card 11 that he holds and at the same time input his confidential code 12 on the keyboard of the said terminal 7. When the user has been correctly identified, the transporter 3 retrieves the terminal to connect it through the communication interface 13 to the container 1 which, after successful comparison of the authentication codes of the carrier and therefore of the addressee, immediately changes to open mode so that the authorized user 10 can recover the cash that was normally intended for him.

Container 1 is then closed again, reprogrammed and put in departure mode towards the original site, in accordance with a sequence of steps which is independent of the supervising computer 4, which cannot take any action at this time.

After the removal authorization, the transporter 3 disconnects container 1 from its interface 13, and the user 10 retrieves his smart card 11; the transporter 3 returns to the transport vehicle with the mobile terminal and container 1 to return to the departure site, in other words the central agency.
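As an added illustration, not part of the patent text, the following Python model walks through the delivery just described: the server center generates the key K and loads it into the card and the container before departure, the container runs as a limited-mode machine that accepts a transition only on an authenticated event and keeps no memory of the previous mode, and at the mobile station the card plus confidential code authorize the open, close and depart chain with no contact with the server. HMAC-SHA256 stands in for the DES-based signature, the per-event challenge and the three-try lock-out are assumptions, and all class and function names are hypothetical.

```python
import hashlib, hmac, secrets

def sign(key, msg):
    # Stand-in for the patent's DES-based key-controlled signature; HMAC-SHA256
    # is an assumption here because DES is not in Python's standard library.
    return hmac.new(key, msg, hashlib.sha256).digest()

class Container:
    """Limited-mode machine: one current mode, no memory of the previous one."""
    TRANSITIONS = {("transport", "deliver"): "open",
                   ("open", "close"): "closed",
                   ("closed", "depart"): "transport"}
    def __init__(self):
        self.mode, self._key, self._nonce = "idle", None, None

    def program_for_departure(self, key):
        # The only moment the server center is in contact with the container.
        self._key, self.mode = key, "transport"

    def challenge(self):
        # Fresh nonce per event (assumption: added for replay resistance).
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def event(self, name, tag):
        # Accept only an authenticated event allowed from the current mode.
        if self._key is None or self._nonce is None:
            return False
        expected = sign(self._key, name.encode() + self._nonce)
        self._nonce = None  # one challenge, one event
        nxt = self.TRANSITIONS.get((self.mode, name))
        if nxt is None or not hmac.compare_digest(expected, tag):
            return False
        self.mode = nxt  # the new mode overwrites the old one; no history kept
        return True

class SmartCard:
    # Addressee's personalized card: holds K, unlocked by the confidential code.
    def __init__(self, key, code):
        self._key = key
        self._code_hash = hashlib.sha256(code.encode()).digest()
        self.tries_left, self._unlocked = 3, False

    def verify_code(self, code):
        # Wrong codes count down to a lock-out, as with a bank card (assumption).
        if self.tries_left == 0:
            return False
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), self._code_hash)
        self.tries_left = 3 if ok else self.tries_left - 1
        self._unlocked = ok
        return ok

    def sign_event(self, name, nonce):
        if not self._unlocked:
            raise PermissionError("card not unlocked")
        return sign(self._key, name.encode() + nonce)

def provision(code):
    # Server center, before departure: generate K, load it into card and container.
    key = secrets.token_bytes(32)
    card, container = SmartCard(key, code), Container()
    container.program_for_departure(key)
    return card, container

def deliver_at_mobile_station(container, card, code):
    # Offline delivery, no server contact: card + code authorize the chain of
    # open, close and depart events; returns the modes traversed, or None.
    if not card.verify_code(code):
        return None
    trace = []
    for name in ("deliver", "close", "depart"):
        if not container.event(name, card.sign_event(name, container.challenge())):
            return None
        trace.append(container.mode)
    return trace
```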

According to one particular characteristic of the invention, an independent printer 15 may be added to the terminal 7 in order to issue a ticket 16 to the addressee 10 of the cash, forming a receipt for the cash.

Naturally, the microprocessor used on the terminal 7 will advantageously be used to store any information output from the containers, and concerning traceability of operations carried out daily to sites not equipped with fixed stations 5.

What is claimed is:
1. System for secure transport of materials from a central departure site to a destination site, comprising: a container which in case of aggression will cause destruction of the materials, the container including an electromagnetic lock and being provided with internal management means operating as a machine with limited modes, in which the operating cycle comprises a restricted number of logical states called modes with changes between the modes being accomplished through transitions, one said transition from a first mode to a second mode being the result of an isolated event, validity of each of the transitions being checked by independent means capable of making contact with the internal management means, the transition then being accompanied by an erasure of memory of the previous mode, a single server center in a remote location capable of getting into contact with the internal management means of said container, at least when it is at the departure site, to check the validity of an event that causes a transition from one mode to another mode, a station arranged as a center of a star network, wherein the station is a mobile and transportable station comprising a terminal, the terminal comprising a keyboard, a screen, a microprocessor and a smart card reader, the mobile and transportable station being unconnected to the server center and constructed so that the mobile and transportable station can be connected through a communication interface with the container, the interface including an energy source to power the terminal and the container.
2. Protection system according to claim 1, wherein events that may occur at a destination location at which there is a said mobile station are programmed originally before departure from a central site, in management means internal to the container, transitions from one of the modes to another of the modes resulting from the events that may occur at the destination location then taking place without communication between the container and the server center.
3. Protection system according to claim 1, wherein an addressee associated with a said mobile station holds a smart card personalized with a confidential code previously and separately handed over to the said addressee enabling him to firstly identify himself by inserting the card in the reader, validated by entering the confidential code, and secondly to chain open-reprogramming-departure events, when the container is delivered, making use of the container's communication interface coupled to the terminal.
4. Protection system according to claim 3, wherein the microprocessor of the container and the personalized card held by the addressee comprise computer means for authentication of messages exchanged between the microprocessor of the container and the personalized card, through the terminal and the interface.
5. Protection system according to claim 4, wherein authentication of the sending part of the message consists of authenticating the message itself by verifying a computer signature calculated on the contents of the said message by means of a key-controlled algorithm (DES), the keys being known only by the parties to the exchange.
6. Protection system according to claim 1, wherein messages exchanged between parties in the system are encrypted by means of a key-controlled encryption algorithm (DES), the keys being known only by the parties, the said algorithm (DES) being a variant of the algorithm used to create an authentication signature for the said message.
7. Protection system according to claim 1, wherein the terminal is equipped with an independent printer constructed to provide an addressee with a receipt.
8. Protection system according to claim 1, wherein the terminal records all information originating from the container or containers concerning traceability of events that occurred daily, to sites equipped with the mobile stations.
9. A system for secure transport of materials, comprising: a container comprising: an electromagnetic lock; and internal management means capable of operating in a predetermined number of modes, a transition from a first to a second mode being checked by independent means capable of making contact with the internal management means, said transition causing a loss of memory of the first mode; at least one resident station adapted to communicate with the internal management means of the container; a supervising computer adapted to exchange data with the at least one resident station; a programmable smart card; at least one mobile station located at a destination location comprising a terminal with a keyboard and screen, a microprocessor, a smart card reader, and a communication interface allowing communication with the container, the at least one mobile station being free of a communication connection with the supervising computer; wherein in operation of the system the supervising computer sends data to the smart card and corresponding data to the internal management means of the container through the at least one resident station as the container is secured by the electromagnetic lock, the locked container then being transportable to said mobile station to be connected to the mobile station through the communication interface, so that the electromagnetic lock is released only upon entry of a predetermined code through the keyboard in conjunction with passing the smart card through the smart card reader.
10. The system of claim 1, wherein the energy source of the interface is also adapted to power the electromagnetic lock.
11. A system for secure transport of materials comprising: a container comprising: an electromagnetic lock; and an internal management element operating as a state machine for which there are a restricted number of logical modes between which the internal management element can transition, validity of each said transition between a previous said mode and a current said mode being verifiable by an independent means capable of making contact with the internal management element, each said transition resulting in erasure of memory related to the previous mode; a server center in a remote location capable of making contact with the internal management element of the container, the server center being structured and arranged to be able to check the validity of transitions of the internal management element of the container; and a mobile and transportable station comprising: a terminal comprising: a keyboard; a screen; a microprocessor; and a smart card reader; wherein the mobile and transportable station is unconnected to the server center and constructed so that the mobile and transportable station can be connected through a communication interface with the container, the interface including an energy source to power the station and the container.
12. The system of claim 11, wherein the container is constructed to detect an intrusion attempt and destroy the materials in the container if said intrusion is detected.
13. The system of claim 11, wherein the mobile and transportable station is constructed so that it will actuate the electromagnetic lock of the container if first data read from a smart card through the smart card reader and second data entered through the keyboard are identified by the microprocessor as properly corresponding to one another.